User-ID Features
New User-ID Feature Description
User-ID Redistribution Enhancement You can now relay user mapping information from one firewall to another in a sequence of up to ten hops instead of one. This increase in the relay sequence enables you to redistribute mapping information in a network that has hundreds of user identification sources or that has users who rely on local sources for authentication (for example, regional directory services) but who need access to remote resources (for example, global data center applications).
Ignore User List Configurable in Web Interface For the PAN-OS integrated User-ID agent, you can now use the firewall web interface as an alternative to the CLI to configure the ignore user list, which specifies the user accounts that don’t require IP address-to-username mapping (for example, kiosk accounts). Using the web interface is easier and reduces the chance of errors that might compromise the enforcement of user-based policies.
User Group Capacity Increase On a PA-5060 or PA-7000 Series firewall with a single virtual system, you can now base policies on up to 3,200 distinct user groups instead of 640. This ensures continued security on networks that use a large number of groups to control access to resources.

Related Documentation